Android: Camera Can Remain Active When Phone is Locked

Mozilla says it will fix the bug later this year, in October.

Mozilla says it's working on fixing a bug in Firefox for Android that keeps the smartphone camera active even after users have moved the browser in the background or the phone screen was locked.

The bug was first spotted and reported to Mozilla a year ago, in July 2019, by an employee of video delivery platform Appear TV.

The bug manifests when users chose to video stream from a website loaded in Firefox instead of a native app. more

Santa and Cuebiq Know if You've Been Naughty or Nice

After Memorial Day, as the United States began to reopen, coronavirus cases began to rise...

For the Fourth of July weekend, a new analysis of cell phone data suggests even more people hit the road among 10 coronavirus hotspots, despite warnings from health experts.

The analysis comes from data shared with CNN by Cuebiq, one of the private companies that the US Centers for Disease Control and Prevention uses to track general movement in the United States. 

Cuebiq gets its data when people download apps on their phones and opt into anonymous location data tracking. The company's full data set includes 15 million phones nationwide. more

How attackers hack mobile networks...

...and get access to free data, locations, wiretap calls and more.  

A fairly detailed and interesting article for the technically curious. more

Alliance Trust Savings Censured After Whistleblower’s ‘Spying’ Concerns

A Dundee-based financial firm has been censured by the Information Commissioner over the use of a mobile app which allowed it to access an “excessive amount” of employees’ sensitive personal data...

Alex Forootan, 36, began investigating after receiving an unexpected text message from Microsoft saying someone had attempted to access his email account.

Mr Forootan worked as a database administrator at ATS’s Dundee headquarters between October 2017 and October last year and is set to take the company to an employment tribunal next month.

He recently rejected a £10,000 pay out from ATS over the issue, citing concerns about his ability to raise it to public attention should he accept. more

Pew Comments on Relationship Health - It Stinks

Most Americans think snooping on a partner’s phone is a bad thing to do, but that hasn’t stopped more than a third of people in committed relationships from doing it anyway, according to Pew research published Friday.

Of those surveyed, 34 percent of people in committed relationships admitted to snooping on their partner’s phone without their knowledge. Interestingly, the survey also found that 42 percent of women (who are in relationships) say they’ve snooped through their current partners’ phones without them knowing, while just 25 percent of men say they have.

As many of us find ourselves cooped up with our partners and our phones for the foreseeable future, the researchers suggest that using this technology is not necessarily great for the health of our long-term relationships. more

Spies Keep Sneaking Malware Into Google Play

Google's Play Store for Android apps has never had a reputation for the strictest protections from malware. Shady adware and even banking trojans have managed over the years to repeatedly defy Google's security checks.

Now security researchers have found what appears to be a more rare form of Android abuse: state-sponsored spies who repeatedly slipped their targeted hacking tools into the Play Store and onto victims' phones.

At a remote virtual version of its annual Security Analyst Summit, researchers from the Russian security firm Kaspersky today plan to present research about a hacking campaign they call PhantomLance, in which spies hid malware in the Play Store...

Once Kaspersky had identified the PhantomLance apps, its researchers were able to match their code with older malware used by OceanLotus, which has been active since at least 2013. more

Surveillance App Reworked for Coronavirus Alerts

Health officials in Britain are building an app that would alert the people who have come in contact with someone known to have the coronavirus. The project aims to adapt China’s tracking efforts for countries wary of government surveillance.

The project is an urgent effort by the British authorities to translate a surveillance tool deployed to fight China’s outbreak into something more palatable in Western democracies. The app is being developed for use in Britain, but could be adapted for other countries, particularly those with similarly centralized health systems, officials said.

The catch... Unlike the smartphone-tracking system used by the Chinese government, the British project would rely entirely on voluntary participation and would bank on people sharing information out of a sense of civic duty. more

Will Working from Home Increase Business Espionage Opportunities

I received a question today about inductive coupling; gleaning computer data leaked on to power lines (aka, mains) from keyboards, screens, etc. The person mentioned this was possible if the residences shared the same power transformer.

"So, does the increase in work-from-home offices these days increase the business espionage threat?"

Interesting question. Got me thinking.

I replied...
You're correct about sharing a transformer. Information can be induced onto the mains and intercepted on that side of the circuit. Several floors in an apartment building and usually 3-4 homes in a residential neighborhood can share one transformer.

But, let's think this through...
Back before we all became computerized the mains lines were relatively noise-free. Carrier-current bugs and wireless intercoms worked quite well for transmitting audio. These days, the noise level is a digital cacophony, created by everyone who shares the circuit.

The very low signal level a keyboard might contribute would be difficult to hear. Segregating the signal from other digital noise would also be a challenge. With diligence and the right instrumentation deciphering this digital data is doable. It would not be a nosy neighbor doing this. If you got that far, you're probably a government and the home worker has a bigger than average problem.

Realistically speaking...
A fairly static group of mains users also reduces risk. Your neighbors aren't deep cover spies who have waited years for the chance you might be forced to work from home. Moving into a neighborhood or apartment building with spying intentions is possible, but not easy to do on a moments notice. There are easier ways to obtain even more information, with a lot less work, and greater chance of success.

Worry about these things...
The weak links in a home office are: the computer, wireless keyboards, Wi-Fi, and internet modems. Current versions of wireless keyboards use Bluetooth (30 foot range) with some pretty good security features. As for date leaking onto the mains... Most smart people use a UPS battery backup with filtering for their computers, so no problem there. For anyone without a UPS getting one is a very worthwhile recommendation for multiple reasons.

Threats the average home office faces...

• shared cable internet, 
• Wi-Fi signal hacking, 
• spyware viruses (data, audio and video compromise), 
• Wi-Fi connected printer intercepts, 
• information phishing scams, 
• and none of the usual enterprise type protections. 

Attacks can be instituted by anybody, some staged from anywhere. Being on one side of a transformer isn't necessary. No need to tap the mains.

Imagine this...

• Step #1: The spy purchases a USB Rubber Ducky (to crack into the computer) and an o.mg cable (to crack into the smartphone). Total cost: <$200.00.
• Step #2: Spy plops these into an old Amazon box and mails it to "the mark."
• Step #3: Mark goes, "Wow, cool. I didn't order this. Amazon must have screwed up. Not worth sending back. I'll keep it."
• Step #4: Mark plugs this windfall into his computer and phone.
• Step #5: Gotcha! 

Think this isn't already happening? Think again. The USB Rubber Ducky is now on backorder.

Your company needs to have a technical security consultant on retainer—because there is more to know.

Schools Using Kids' Phones to Track and Surveil Them

Teachers often lament that phones can be a distraction in classrooms. Some governments have even banned phones outright in schools. But a few school administrations see phones in schools as a benefit because they can help keep track of students more efficiently.

At least 10 schools across the US have installed radio frequency scanners, which pick up on the Wi-Fi and Bluetooth signals from students' phones and track them with accuracy down to about one meter, or just over three feet, said Nadir Ali, CEO of indoor data tracking company Inpixon.

His company has been in talks with other school districts, and a few schools in the Middle East are also considering the product... more

Spybuster Tip #632: Fortify Your Two-factor Authentication

Two-factor authentication is a must, but don't settle for the SMS version. Use a more secure authenticator app instead.

 The most popular authenticator apps are Google Authenticator and Authy, but password managers 1Password and LastPass offer the service as well, if that helps you streamline. If you're heavy into Microsoft's ecosystem, you might want Microsoft Authenticator. While they all differ somewhat in features, the core functionality is the same no matter which one you use. more

How People Turn iPhones into Bluetooth Bugs

With iOS 12, Apple added a feature, called Live Listen, which essentially turns your AirPods into on-demand hearing aids. 

There's a bit of setup you'll need to do, but once it's done, you can place your phone on a table closer to the person you're talking to and it will send audio to your AirPods.

On your iPhone go to Settings > Control Center > Customize Controls and tap on the green "+" symbol next to the Hearing option. Then, when you need to use the feature put in your AirPods and open Control Center on your iPhone and select the Hearing icon followed by Live Listen. Turn off the feature by repeating those final steps in Control Center. more

Corporate Espionage Alert: If a person excuses themselves from a business meeting to go to the restroom (or other excuse)... NEVER continue the discussion thinking they won't know. They may be using this trick to listen in to what you are saying. More sage corporate counterespionage advice here.

Toga! Toga! Toga! ...SCIF Fight!

SCIF fight shows lawmakers can be their own biggest cybersecurity vulnerability.

About two dozen House Republicans enter a sensitive compartmented information facility (SCIF) where a closed session before the House Intelligence, Foreign Affairs and Oversight committees took place.

A group of House Republicans could have created a field day for Russian and Chinese intelligence agencies when they stormed into a secure Capitol Hill room where their colleagues were taking impeachment testimony yesterday with their cellphones in tow. more

"You're all worthless and weak!" ~Doug Neidermeyer

Husband Ordered to Pay Almost $500K After Bugging Wife’s iPhone

The chairman of a performing arts school in Brooklyn has to pay an almost $500,000 verdict after he installed spying software in his estranged tobacco-heiress wife’s iPhone...

Jurors ordered Crocker Coulson, Brooklyn Music School chairman, to pay Anne Resnik $200,000 in compensatory damages, $200,000 in punitive damages, and $41,500 in statutory damages—or $100 for each of the 415 days he accessed her phone between 2012 and 2014.

Coulson was also ordered to pay $10,000 to Resnik’s mom, sister, and psychiatrist because he also intercepted their communications by spying on his wife. more

Has Your Doctor (or other Professional) Downloaded Apps With Microphone Access?

via Robinson & Cole LLP - Linn Foster Freedman

As I always do when talking to people about their phones, I asked them to go into their privacy settings and into the microphone section and see how many apps they have downloaded that asked permission to access the microphone. How many green dots are there? Almost all of them looked up at me with wide eyes and their lips formed a big “O.”...

I am not picking on them—I do the same thing with lawyers, financial advisors and CPAs, and any other professional that has access to sensitive information.

When a professional downloads an app that allows access to the microphone, all of the conversations that you believe are private and confidential are now not private and confidential if that phone is in the room with you. more

The O.MG Cable™ — The Smartphone Electro-Leach

via Blue Blaze irregular C.G.

The O.MG Cable™ is the result of months of work that has resulted in a highly covert malicious USB cable. As soon as the cable is plugged in, it can be controlled through the wireless network interface that lives inside the cable.

 

The O.MG Cable allows new payloads to be created, saved, and transmitted entirely remotely. 

 

The cable is built with Red Teams in mind with features like additional boot payloads, no USB enumeration until payload execution, and the ability to forensically erase the firmware, which causes the cable to fall entirely back to an innocuous state. And these are just the features that have been revealed so far. more 

 

Their other "interesting" products of which you should be aware.

iPhone iMessage iHacked

When you think about how hackers could break into your smartphone, you probably imagine it would start with clicking a malicious link in a text, downloading a fraudulent app, or some other way you accidentally let them in.

It turns out that's not necessarily so—not even on the iPhone, where simply receiving an iMessage could be enough to get yourself hacked.

At the Black Hat security conference in Las Vegas on Wednesday, Google Project Zero researcher Natalie Silvanovich is presenting multiple so-called “interaction-less” bugs in Apple’s iOS iMessage client that could be exploited to gain control of a user’s device. And while Apple has already patched six of them, a few have yet to be patched...

The six vulnerabilities Silvanovich found—with more yet to be announced—would potentially be worth millions or even tens of millions of dollars on the exploit market. more

Our 41 Smartphone Security Tips.

AT&T Employees Took Bribes to Plant Malware

 One AT&T employee made $428,500.

AT&T employees took bribes to unlock millions of smartphones, and to install malware and unauthorized hardware on the company's network, the Department of Justice said yesterday...

The bribery scheme lasted from at least April 2012 until September 2017...

The two recruited AT&T employees by approaching them in private via telephone or Facebook messages. Employees who agreed, received lists of IMEI phone codes which they had to unlock for sums of money. more


Remember this survey from 2016? "One in five employees said they would sell their passwords."

The Point: Quarterly Technical Information Security Surveys mitigate this risk, and prove due diligence.

Android Smartphone Alert: Spearphone Eavesdropping

A Spearphone attacker can use the accelerometer in LG and Samsung phones to remotely eavesdrop on any audio that’s played on speakerphone, including calls, music and voice assistant responses. 

A new way to eavesdrop on people’s mobile phone calls has come to light in the form of Spearphone – an attack that makes use of Android devices’ on-board accelerometers (motion sensors) to infer speech from the devices’ speakers.

An acronym for “Speech privacy exploit via accelerometer-sensed reverberations from smartphone loudspeakers,” Spearphone was pioneered by an academic team from the University of Alabama at Birmingham and Rutgers University.

They discovered that essentially, any audio content that comes through the speakers when used in speakerphone mode can be picked up by certain accelerometers in the form of sound-wave reverberations. And because accelerometers are always on and don’t require permissions to provide their data to apps, a rogue app or malicious website can simply listen to the reverberations in real time, recording them or livestreaming them back to an adversary, who can analyze and infer private data from them. more

Spanish App Works Like Spanish Fly... undercover

Spain’s data protection agency has fined the country’s soccer league, LaLiga, €250,000 (about $280,000) for allegedly violating EU data privacy and transparency laws. The app, which is used for keeping track of games and stats, was using the phone’s microphone and GPS to track bars illegally streaming soccer games...

Using a Shazam-like technology, the app would record audio to identify soccer games, and use the geolocation of the phone to locate which bars were streaming without licenses. more

More Than 1,000 Android Apps Spy... even when you deny permission!

Permissions on Android apps are intended to be gatekeepers for how much data your device gives up. If you don't want a flashlight app to be able to read through your call logs, you should be able to deny that access.

But... even when you say no, many apps find a way around: Researchers discovered more than 1,000 apps that skirted restrictions, allowing them to gather precise geolocation data and phone identifiers behind your back...

Google said it would be addressing the issues in Android Q, which is expected to release this year.  more